What Is an SSL Certificate?

An SSL certificate is a digital credential that authenticates a website and allows the browser and web server to communicate securely with each other. It provides an encrypted connection, protecting data from interception or tampering, including login credentials, payment information, API calls, etc., across all secure web environments.

SSL certificates are the base level of web security and, as such, are the foundation for secure logins, API calls, and financial transactions.

SSL certificates are a major security control that encrypts data during transit, validates server identity, and stops impersonation attacks across digital services. For a CISO, managing certificate strategy is an ongoing risk function with direct implications for compliance, user trust, and exposure to breaches.

The security team has a unique challenge here. SSL encryption stops credential theft, session hijack, and man-in-the-middle attacks. But SSL encryption creates blind spots. Encrypted traffic must still be inspected to catch threats moving through it.

Compliance leaders have their own stake in this. Encryption of data in transit is a requirement or a strong recommendation under PCI DSS, HIPAA, GDPR, and SOC 2. Valid certificates, correct configuration, and proper chain of trust all fall within the audit scope.

Certificates also create operational concerns for IT and infrastructure teams. Expired or misconfigured certificates cause browser warnings, broken authentication, and service outage. Cloud and containerised environments, along with automated certificate provisioning by DevOps teams, enable them to keep pace with deployment velocity.

SSL certificates provide users with assurance beyond just encrypting their data. Before any data is shared, an SSL certificate establishes trust. That trust is provided through a combination of a handshaking process, a set of public and private keys, and a hierarchical structure of trusted Certification Authorities (CAs).

TLS Handshake

A Transport Layer Security (TLS) handshake occurs before a secure data transmission session is established with your browser when you connect to a secure website. The server will present its SSL certificate. Your browser verifies if the certificate was issued by a recognised Certificate Authority (CA).

Upon verification that the SSL Certificate is valid, trusted, and not expired, both parties agree on a temporary session key to encrypt all subsequent communications. In their browser, each user can see a padlock icon and the HTTPS prefix in the browser address bar.

Public and Private Keys

SSL certificates use asymmetric cryptography, which applies two mathematically related keys that operate together. The public key is located within the SSL certificate and can be viewed by anyone. The private key resides solely on the server. Any information encrypted with the public key can only be decrypted with the corresponding private key. Regardless of how much an attacker may have intercepted during the data transmission, the attacker will not be able to view the data.

Private key security is absolutely non-negotiable. In the event of a compromised private key, all security assurances made by the SSL certificate become void. SSL inspection must anchor any detection strategy—encryption that protects legitimate traffic protects malicious payloads equally.

Certificate Authorities (CAs)

CAs, such as DigiCert, Sectigo, and Let’s Encrypt, are third-party entities that issue and digitally sign SSL certificates. Most browsers and operating systems include a pre-defined list of trusted root CAs. Certificates signed by unrecognised or compromised CAs trigger a browser warning flagging the connection as insecure.

The CA/Browser Forum creates, maintains, and enforces the standards all CAs must meet to create and maintain trust. Security Architects should understand that this chain of trust begins at the root CA, continues down to the intermediate CA, and then to the end-entity certificate, ensuring proper security and enabling diagnosis of TLS misconfigurations before they become exploitable gaps.

“SSL certificate” is still the term the industry uses, but SSL itself is long gone. TLS is the protocol actually securing connections today. SSL 2.0 and 3.0 were retired due to critical vulnerabilities, and TLS 1.0 and 1.1 have since been retired. Organisations still running either protocol are exposed to well-documented attacks.

Security teams should audit all environments to confirm no systems still accept SSL 3.0 or TLS 1.0/1.1.

SSL certificates vary in how the issuing CA identifies web property (validation level) and in how many domains a single certificate can cover (coverage scope).

Validation Level

Certificates are based upon validation level, including:

• Domain-Validated (DV) certificates are verified through an applicant’s control of a domain name. A CA does not check any organisational identification data. It’s the quickest and least expensive of the three; however, it’s often issued to phishing sites. While a DV certificate provides encryption to the user, it provides very little, if any, identity verification.
• Organisation-Validated (OV) certificates have a CA confirm that the applicant has domain ownership, along with basic organisational information. OV certificates are suitable for business websites or enterprise services, as they provide a reasonable level of identity verification for such applications.
• Extended Validation (EV) certificates provide the greatest level of identity verification through the most rigorous validation process. The CA validates the applicant’s organisation to ensure that it exists legally, physically, and operationally. EV certificates deliver the highest level of identity verification—critical for organisations where customer trust and compliance are under scrutiny.

Coverage Scope

There are three coverage scopes for SSL/TLS certificates, including:

• Single-domain certificates cover only one specific domain.
• Wildcard certificates cover a domain and all of its first-level sub-domains. This makes wildcard certificates easier to manage in larger organisations. However, this configuration could create a problem in which a compromised private key would expose every subdomain.
• Multi-domain (SAN) certificates can cover up to 100 domains under a single certificate. This is useful for organisations with numerous web properties.

When choosing between wildcard and single-domain certificates, security architects should consider whether the increased ease of use provided by wildcard certificates outweighs the potential increased risk.

The “padlock” symbol on a web browser, while indicative of an HTTPS (encrypted) connection, does NOT mean that a website is secure. The difference between the two is a common misconception used by cyber-attackers.

For many years, consumers have trusted the “padlock” symbol. Cyber-attackers have exploited this. DV Certificates are free, instant, and routinely abused by threat actors. They use these certificates to create valid phishing websites that display a “padlock”, load content via HTTPS, and pass the first level of trust testing performed by most users.

The padlock once signalled safety—today, phishing sites exploit HTTPS to weaponize that assumption.

SSL certificates do one thing well: they secure data transmitted between browser and server. But that narrow assurance is routinely mistaken for something broader.

CISOs should ensure security awareness training reflects this clearly. Users trained to equate the padlock with safety are easier to phish—not harder. That misplaced trust is exactly what today’s threat actors exploit.

Every SSL certificate is a structured digital document. If you look at one closely in your browser, you’ll see the following fields:

Anyone can see most of these fields. Click the padlock icon in the address bar to check a site’s certificate. This is a good habit for security-conscious users who want to know what a certificate really says, not just whether one exists.

Large-scale certificate management poses legitimate operational and security risks. The root cause of nearly all certificate-related incidents is poor visibility into the certificates within an organisation, their locations, and their expiration dates.

Expired certificates trigger browser warnings and service disruptions—and unmanaged certificates routinely surface during attack surface assessments.

Best Practices for Managing the Certificate Life Cycle

1. Build a certificate inventory. Identify every certificate present within the organisation (domain name, issuing CA, expiration date, responsible team, and affected systems). This should include internal certificates created for Service-to-Service communication, not just public-facing certificates. You cannot manage what you cannot see.
2. Automate the renewal process. Manual renewal creates unnecessary risk. Use the ACME Protocol for automated renewal, if available, and set up alerts at 60, 30, and 14 days before the certificate’s expiration. As part of formal change management processes, include renewals.
3. Monitor certificate transparency logs. Certificate Transparency Logs are public, append-only records of every certificate issued by trusted Certificate Authorities. Set up alerting for any certificate issued for your domains (and their sub-domains), even if it is a sub-domain that you did not anticipate. Issuance of unauthorised certificates may be an early indicator of phishing infrastructure and/or Brand Impersonation Campaigns.
4. Ensure your organisation’s TLS configuration is secure. Check every system for its support of different versions of TLS and disable SSL 3.0, TLS 1.0, and TLS 1.1. Mandate a minimum of TLS 1.2 and use TLS 1.3 whenever possible.
5. Evaluate the risks associated with using wildcard certificates. When there are high-value and/or sensitive subdomains, consider evaluating the risk of using individually scoped certificates as opposed to wildcard certificates.
6. Include certificates in vendor risk assessments. Add certificate hygiene and TLS configuration to vendor security questionnaires and contract renewals.

The role of certificate management in organisations has changed. This is due to various advancements, including:

Certificate Automation

Many organisations have started using automated certificate management protocols (such as ACME) and new tools to manage certificates. Manual certificate management methods are no longer viable for large-scale use, as many organisations move toward shorter certificate validity terms. As the CA/browser forum continues to reduce the validity period of certificates, automation will become mandatory.

Monitoring of Certificate Transparency Logs

Monitoring certificate transparency logs is becoming more than just a compliance checkbox; security professionals increasingly use it as an early warning system to detect unauthorised certificate issuances and identify phishing infrastructure.

Mutual TLS and Zero Trust

Mutual TLS is a required component of zero-trust architectures. In turn, the certificate management process will need to evolve beyond just protecting the web and provide strong authentication between services. As such, CISOs and security architects should view crypto agility (the capability to replace cryptographic algorithms without requiring a complete overhaul of the system) as a minimum design criterion when creating new systems.

Quantum Resistant Cryptography

TLS currently uses mathematics that researchers are actively trying to break using quantum computers. NIST’s post-quantum cryptographic standards will require certificate management systems to evolve—CISOs who aren’t planning that transition alongside zero-trust implementation are already behind.

Certificates are the basic building blocks for your organisation’s security needs as they encrypt your data in transit. However, they do nothing to stop phishing scams, account takeovers, malware, or insider threats. A mature, multi-layered defence-in-depth security programme incorporates SSL, along with solutions to secure against those threats that SSL can’t, like:

• Email security: Stops phishing attempts from reaching an HTTPS phishing site by intercepting them before they reach the site.
• URL and web filtering: Provides additional contextual analysis of URLs beyond just the validity of a URL’s certificate. This includes analysis of the age of a URL’s domain name, its hosting infrastructure, and the behavioural characteristics of a link.
• Identity and access management (IAM): Secures usernames and passwords if a phishing scam convinces a user that a site is legitimate.
• Data loss prevention (DLP): Encrypts your data in use and at rest. DLP provides an additional layer of security but does not rely on encrypting your data to protect it.
• Identity threat detection and response (ITDR): Identifies and contains threats that are using SSL to hide malicious activity.

For security architects, certificate infrastructure intersects with IAM, Public Key Infrastructure (PKI), zero trust architecture, and network security architecture. As such, certificate infrastructure should receive the same level of planning and strategy as all other foundational security components.